CVE-2025-2099
MEDIUM5.3EPSS 0.09%Hugging Face Transformers Regular Expression Denial of Service
Published: 5/19/2025Modified: 9/25/2025
Description
A Regular Expression Denial of Service (ReDoS) exists in the `preprocess_string()` function of the `transformers.testing_utils` module. In versions **before 4.50.0**, the regex used to process code blocks in docstrings contains nested quantifiers that can trigger catastrophic backtracking when given inputs with many newline characters. An attacker who can supply such input to `preprocess_string()` (or code paths that call it) can force excessive CPU usage and degrade availability. **Fix:** released in **4.50.0**, which rewrites the regex to avoid the inefficient pattern. ([GitHub][1]) * **Affected:** `< 4.50.0` * **Patched:** `4.50.0`
Affected packages (2)
- PyPI/transformersfrom 0, < 4.50.0
- PyPI/transformersfrom 0, < 8cb522b4190bd556ce51be04942720650b1a3e57 | from 0, < 4.49.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-2099
- PATCHhttps://github.com/huggingface/transformers
- WEBhttps://github.com/huggingface/transformers/commit/8cb522b4190bd556ce51be04942720650b1a3e57
- WEBhttps://github.com/huggingface/transformers/pull/36648
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/transformers/PYSEC-2025-40.yaml
- WEBhttps://huntr.com/bounties/97b780f3-ffca-424f-ad5d-0e1c57a5bde4